Second NSA-Developed Encryption Tool Discovered In RSA’s Security Kit

Computer security firm RSA incorporated two encryption tools developed by the National Security Agency (NSA), rather than one, allowing the spy agency to eavesdrop on Internet communications even more easily than previously thought, Reuters reported on Monday, citing university researchers who discovered the second tool.

The issue of RSA’s cooperation with the NSA was brought to light last December, when leaks by former NSA contractor Edward Snowden revealed the agency had paid RSA, now owned by EMC Corp., $10 million to insert a secret back door into its widely-used encryption method.

But the latest evidence discovered by a group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere reveals that a second NSA-supplied tool was also involved, one that gave the agency the ability to crack RSA’s encryption “tens of thousands of times faster.”

It is not clear to what extent the second tool, known as the “Extended Random” extension for secure websites, was employed in RSA’s BSafe security kit. RSA says the optional software, which was pulled in recent months, was rarely used.

Nevertheless, the discovery of the second tool’s existence sheds light on how the NSA extended the reach of its surveillance program under the guise of advising companies on protection, and suggests the agency had virtually free rein when monitoring some Internet sites.

For its part, RSA says the issue boils down to the company’s trust in the US government.

“We could have been more skeptical of NSA’s intentions,” RSA Chief Technologist Sam Curry told Reuters.

“We trusted them because they are charged with security for the US government and US critical infrastructure.”

Curry declined to say whether RSA had received any payment from the government for incorporating Extended Random into its BSafe security kit.